system logging is not
Marty Landman
mlandman at face2interface.com
Wed Feb 15 12:28:16 UTC 2006
At 09:50 AM 2/14/2006, McDougall, Marshall (FSH) wrote:
>The fact that most of those files are empty (hacker-like activity) and
>there are no .1, .2 etc does not look good. Did you do something at
>18:04?
No, not that I can think of.
> Run a netstat and see what/who you are listening for or connected to.
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
216.238.192.133 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 216.238.192.133 0.0.0.0 UG 0 0 0 ppp0
$
Looks normal, doesn't it?
> Wtmp is time stamped 1.5 hrs later. Run last, it might
>tell you who was there or what id was compromised.
$ sudo last
marty pts/0 nosoup4u Tue Feb 14 15:42 still logged in
marty pts/0 nosoup4u Mon Feb 13 20:41 - 22:05 (01:24)
root pts/0 :0.0 Mon Feb 13 18:20 - 20:41 (02:20)
root :0 Mon Feb 13 18:20 - 18:46 (00:25)
reboot system boot 2.4.20-8 Mon Feb 13 18:18 (21:39)
reboot system boot 2.4.20-8 Mon Feb 13 18:14 (21:43)
marty pts/1 :0.0 Mon Feb 13 18:06 - down (00:06)
marty :0 Mon Feb 13 18:06 - down (00:06)
marty pts/0 nosoup4u Mon Feb 13 18:05 - down (00:07)
reboot system boot 2.4.20-8 Mon Feb 13 18:04 (00:08)
wtmp begins Mon Feb 13 18:04:26 2006
$
BTW nosoup4u is my Windows workstation - I'm ssh'd into the RH box.
> Look in /tmp for anything unusual. Isolate it from your network.
$ ls -al /tmp
total 572
drwxrwxrwt 12 root root 4096 Feb 14 04:02 .
drwxr-xr-x 20 root root 4096 Feb 13 18:33 ..
drwxrwxrwt 2 root root 4096 Feb 13 18:46 .ICE-unix
-r--r--r-- 1 root root 11 Feb 13 18:46 .X0-lock
drwxrwxrwt 2 root root 4096 Feb 13 18:46 .X11-unix
srwx------ 1 root nobody 0 Feb 13 18:20 .fam_socket
drwxrwxrwt 2 xfs xfs 4096 Feb 13 18:19 .font-unix
srw-rw-rw- 1 root root 0 Feb 13 18:19 .gdm_socket
-rw-rw-rw- 1 root root 464160 Feb 10 10:04 irc.tar.gz
drwx------ 2 joel users 4096 Dec 5 16:27 orbit-joel
drwx------ 2 marty marty 12288 Feb 13 18:13 orbit-marty
drwx------ 2 root root 12288 Feb 13 18:46 orbit-root
drwxr-xr-x 2 marty marty 4096 Dec 3 15:06 samba
-rwxr--r-- 1 root root 44377 Feb 13 18:41 scrollkeeper-tempfile.0
drwx------ 2 marty marty 4096 Dec 11 18:49 ssh-XXRI9PKz
drwx------ 2 root root 4096 Jan 3 13:32 ssh-XXgHv7Ve
drwxrwxrwt 3 marty marty 4096 Jan 26 19:04 uscreens
[marty at BANYAN ~]$ ls -al /tmp/samba
total 8
drwxr-xr-x 2 marty marty 4096 Dec 3 15:06 .
drwxrwxrwt 12 root root 4096 Feb 14 04:02 ..
$
>Good luck.
I removed everything on /tmp and rebooted, system still can't create
/var/log/messages. It also is now unable to start X-Windows on the console.
What might I do next here?
Marty
>-----Original Message-----
>From: redhat-list-bounces at redhat.com
>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Marty Landman
>Sent: Monday, February 13, 2006 8:10 PM
>To: redhat-list at redhat.com
>Subject: system logging is not
>
>
>My RH9 gateway suddenly seems to have developed some problems today. The
>only thing special I recall doing was to change from a netgear hub to a
>linksys switch and add an 8th box to my lan. There is also a netgear switch
>to which this box is plugged in which used to uplink to the netgear hub but
>now uplinks to the linksys switch. All 8 computers were visible from my Win
>xp workstation after doing that btw.
>
>Later I noticed that samba didn't seem to be working on my Win XP
>workstation - although it can SSH to the RH box. And it's still functioning
>as my LAN gateway. Saw a bunch of attempts on /var/log/samba/.log (is that
>a kosher name btw?) evidence of attempted break-ins from a day or two ago.
>
>So not knowing what else to do I rebooted - windows user instinct :).
>Noticed during the reboot that system logging and httpd startup both
>FAILED. OTOH using Nautilus from the console I could find the other 7
>computers on the network, but not this computer itself.
>
>Here's some shell stuff that I think illustrates some of what's going on:
>
>[marty at BANYAN ~]$ pwd
>/home/marty
>[marty at BANYAN ~]$ ls -al /var/log
>total 324
>drwxr-xr-x 2 root root 4096 Feb 13 18:46 .
>drwxr-xr-x 21 root root 4096 Jul 30 2005 ..
>-rw-r--r-- 1 root root 28509 Feb 13 18:46 XFree86.0.log
>-rw-r--r-- 1 root root 28584 Feb 13 18:20 XFree86.0.log.old
>-rw------- 1 root root 0 Feb 13 18:04 boot.log
>-rw------- 1 root root 0 Feb 13 18:04 cron
>-rw-r--r-- 1 root root 6532 Feb 13 18:18 dmesg
>-rw-r--r-- 1 root root 65631 Feb 13 18:18 ksyms.0
>-rw-r--r-- 1 root root 65631 Feb 13 18:14 ksyms.1
>-rw-r--r-- 1 root root 65631 Feb 13 18:04 ksyms.2
>-rw------- 1 root root 0 Feb 13 18:04 maillog
>-rw------- 1 root root 0 Feb 13 18:04 messages
>-rw------- 1 root root 0 Feb 13 18:04 secure
>-rw------- 1 root root 0 Feb 13 18:04 spooler
>-rw------- 1 root root 315 Feb 13 18:12 sudolog
>-rw-rw-r-- 1 root utmp 30336 Feb 13 20:41 wtmp
>[marty at BANYAN ~]$ df
>Filesystem 1K-blocks Used Available Use% Mounted on
>/dev/hdd1 5278644 2073532 2936972 42% /
>/dev/hda1 99251 9324 84802 10% /boot
>none 127664 0 127664 0% /dev/shm
>/dev/hda2 4035432 33080 3797360 1% /mnt/kramer
>/dev/hdb1 241263968 32998936 196009448 15% /mnt/maestro
>[marty at BANYAN ~]$ top
>top: error while loading shared libraries: libncurses.so.4: cannot open
>shared object file: No such file or directory
>[marty at BANYAN ~]$
>
>
>-----------------------------------------------
>
>At this point I wonder if my computer's been hijacked or somehow corrupted.
>Either way not sure what to do next.
>
>Thanks in advance,
>
>Marty
>
>
>Marty Landman, Face 2 Interface Inc. 845-679-9387
>Webmaster's Bulletin Board: http://bbs.face2interface.com/
>Web Installed Formmail: http://face2interface.com/formINSTal
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
Marty Landman, Face 2 Interface Inc. 845-679-9387
Webmaster's Bulletin Board: http://bbs.face2interface.com/
Web Installed Formmail: http://face2interface.com/formINSTal
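The check Marshall describes above (every log in /var/log zero bytes, all stamped 18:04, no .1/.2 rotated copies) can be scripted so it is not eyeballed from an ls listing. The following is an added example written for this archive page; it is not code from the thread, from Red Hat or from the list. It assumes a POSIX sh with `date -r FILE` (GNU and BSD date both support it), and with no argument it runs against a constructed fixture that mirrors the listing quoted in the original message rather than against the real /var/log.

```shell
#!/bin/sh
# Added triage example; not code from the thread, Red Hat or the list.
# Flags zero-byte logs in a log directory that have no rotated .1/.2
# siblings, and reports when all of them share one modification time.
# Usage: sh log_triage.sh /var/log   (with no argument it runs on a fixture)

# Print, one per line, the zero-byte regular files in DIR that have no
# rotated sibling (name.1, name.1.gz, name.0, name.old). An empty log that
# was just rotated is normal; an empty log with no history is not.
empty_unrotated() {
    dir=$1
    for f in "$dir"/*; do
        if [ ! -f "$f" ]; then continue; fi      # skip dirs, sockets, devices
        if [ -s "$f" ]; then continue; fi        # has content: nothing to flag
        case "$f" in
            *.[0-9]|*.[0-9].gz|*.old) continue ;; # this is a rotated copy itself
        esac
        if [ -e "$f.1" ] || [ -e "$f.1.gz" ] || [ -e "$f.0" ] || [ -e "$f.old" ]; then
            continue                              # empty because freshly rotated
        fi
        basename "$f"
    done
}

# Number of findings from empty_unrotated.
count_empty_unrotated() {
    empty_unrotated "$1" | wc -l | tr -d ' '
}

# Number of distinct mtimes (to the minute) among the findings. Several
# empty logs sharing one mtime were truncated or recreated together, for
# instance when syslogd came up and never wrote again, rather than being
# emptied by independent rotations.
distinct_mtimes() {
    dir=$1
    empty_unrotated "$dir" | while read -r name; do
        date -r "$dir/$name" +%Y-%m-%dT%H:%M
    done | sort -u | wc -l | tr -d ' '
}

# Constructed fixture mirroring the ls -al /var/log listing in the thread:
# six zero-byte logs stamped Feb 13 18:04, plus files that must not be flagged.
make_fixture() {
    d=$(mktemp -d)
    for f in boot.log cron maillog messages secure spooler; do
        : > "$d/$f"
        touch -t 200602131804 "$d/$f"
    done
    printf 'Linux version 2.4.20-8\n' > "$d/dmesg"      # non-empty: fine
    printf 'X log\n' > "$d/XFree86.0.log"
    printf 'old X log\n' > "$d/XFree86.0.log.old"
    : > "$d/example.log"                                   # empty but rotated: fine
    printf 'previous week\n' > "$d/example.log.1"
    echo "$d"
}

main() {
    dir=${1:-$(make_fixture)}
    n=$(count_empty_unrotated "$dir")
    echo "$n zero-byte log file(s) without rotation history in $dir:"
    empty_unrotated "$dir" | sed 's/^/  /'
    if [ "$n" -gt 1 ] && [ "$(distinct_mtimes "$dir")" -eq 1 ]; then
        echo "All share one mtime: logging stopped or the files were recreated"
        echo "at once. Verify the syslog package with rpm -V and confirm syslogd"
        echo "is running before trusting anything else the box reports."
    fi
}

main "$@"
```

On the fixture the script reports six files (boot.log, cron, maillog, messages, secure, spooler) sharing one mtime, which is exactly the pattern Marshall flags; example.log is skipped because its .1 copy shows it was rotated, and dmesg is skipped because it has content. A syslogd that stopped writing after a reboot and a deliberate truncation look the same from here, so the result is a reason to verify the logging binaries and configuration, not a verdict.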